Forum Discussion

Wasfi_Bounni's avatar
Wasfi_Bounni
Icon for Cirrocumulus rankCirrocumulus
Sep 24, 2023

Is the update and application of new AWAF attack signatures "Service Affecting"?

Hi;

Is the update and application of new AWAF or ASM attack signatures "Service Affecting"? Also does applying the new attack signatures entail a reboot of the device?

Kindly

Wasfi

application delivery
security
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Sep 24, 2023

    Hi Wasfi_Bounni , 
    Yes , it may impcat you. 

    and not it depends : 

    1. you want to enforce signtaures immediately. ( may impact you and produce false positives ) 
    2. you can keep these signature under learning for a while ( Readness period "default 7 days" ) 

    Open ( Security >> Application security >> Learning and blocking settinngs >>> Attack signatures ) 

    - If you want to enforce it directley : 
    open this : 

     

    Make sure ( you're selecting enforce updated rule immediately ...... ). 
    >>> by doing this all newly updated signature will be enforced directly. 

    - If you want to keep updated signature for a while and in learning and after checking your learning suggestion to take your decision : 

    modify your configuration like this : 



    >>> performing this shoud put your newly signatures in statging waiting the ( Readness period to be fininshed ) to be ready to be enforced and you will work on parallel on learning suggestions ( Accept / delete suggestions ) based on your analysis in suggestions collected from requests samples. 

    I hope this helps you 🙂 

  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Sep 24, 2023

    Hi Wasfi_Bounni , 
    Yes , it may impcat you. 

    and not it depends : 

    1. you want to enforce signtaures immediately. ( may impact you and produce false positives ) 
    2. you can keep these signature under learning for a while ( Readness period "default 7 days" ) 

    Open ( Security >> Application security >> Learning and blocking settinngs >>> Attack signatures ) 

    - If you want to enforce it directley : 
    open this : 

     

    Make sure ( you're selecting enforce updated rule immediately ...... ). 
    >>> by doing this all newly updated signature will be enforced directly. 

    - If you want to keep updated signature for a while and in learning and after checking your learning suggestion to take your decision : 

    modify your configuration like this : 



    >>> performing this shoud put your newly signatures in statging waiting the ( Readness period to be fininshed ) to be ready to be enforced and you will work on parallel on learning suggestions ( Accept / delete suggestions ) based on your analysis in suggestions collected from requests samples. 

    I hope this helps you 🙂 

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Sep 24, 2023

    It depends what you mean with "service affecting" ... as to your second question, it wont reboot the device and it will also not restart BIG-IP services or such causing general traffic interuptions.

    as Mohamed explains it might affect your service if a false positive occurs in the new signatures and they are applied in blocking mode. this is always a tricky choice, perhaps some interuption but auto update. or long checking and testing. your choice in the end.